February 2014

INFORMATION SECURITY

Evaluation of FTC's Information Security Program and Practices for Fiscal Year 2013

Why We Did This Study

The Federal Information Security Management Act of 2002 (FISMA) provides a comprehensive framework for ensuring the effectiveness of technical, administrative, and physical security controls over Federal information resources. FISMA requires an annual Inspector General evaluation of compliance with FISMA requirements and related information security policies, procedures, standards, and guidelines, and an assessment of the level of security afforded to associated information assets.

The evaluations provide agency senior management and others with the information needed to determine the effectiveness of overall security programs, ensure the confidentiality and integrity of data entrusted to the FTC, and develop strategies and best practices for cost-effectively improving information security.

The FTC Office of Inspector General contracted with Allied Technology Group, Inc. to conduct an evaluation to determine the status of the FTC's information security and privacy programs at September 30, 2013, as required under FISMA and associated guidance. A full report on our evaluation was prepared for FTC internal use only.

What We Found

The IG's independent FISMA evaluation for FY 2013 determined that the FTC is in substantial compliance with applicable security and privacy requirements.

The IG's CyberScope FISMA metrics submission to the Department of Homeland Security showed that FTC information assets are reasonably protected against threats originating from within and outside the agency, but there are opportunities for improvement. These include process changes to Information Technology (IT) governance practices and continued maturation of the FTC security and privacy programs.

FTC information security and privacy programs are maturing through self-initiated actions and improvements initiated in response to IG recommendations:

• Documentation is revised and standardized as part of ongoing operations and maintenance activities;
• Enterprise-level oversight practices are improving as newly instituted IT governance boards begin to influence IT planning and resource allocation; and
• Security and privacy processes are revised to accommodate changes in governmentwide requirements.

The foundation for a National Institute of Standards and Technology risk-based model was laid in FY 2012 and continues to evolve; however, continued improvement of the FTC information security and privacy programs requires consistent application of information security and privacy policies.

What We Recommend

Program consistency and compliance need to be reinforced through visible monitoring and oversight by FTC IT governance boards and senior management.

AR 14-002